3 façons de repenser et simplifier l’architecture DNS des Telco-ISPs

Cyber-attacks and data leaks among telecommunication providers are a hot topic, especially after the DNS DDoS attack on UK’s ISP TalkTalk in October 2015. Four million customers were informed their sensitive personal information, including bank details, may have been stolen by hackers. Cyber attacks are now clearly strategic threats for telcos, many of whom have fundamental issues related to the modernization of their core systems which have often evolved as the result of several merges and often not robust enough to fend off even basic DNS threats.

The authors of the Cisco 2016 Security Report emphasize DNS security ought to be a priority for IT organizations and suggests they do not hesitate to increase investments into DNS security. The world is aware of the problem, so why is it so hot right now?

Globally, Internet traffic has multiplied fivefold since 2010, and will triple by 2019, driven by the rise of mobile applications, mass video usage, the Internet of Things and Cloud services. To remain competitive, telcos need to meet this demand, whilst guaranteeing the availability and performance of their networks. This means telco DNS security must improve. Sounds simple, but it’s not.

Telcos’ main challenges relate to their performance, which thanks to customer expectations and rising traffic levels, needs to be constantly improved. This becomes particularly onerous as they experience more and more sophisticated attacks like DNS DoS, and requires advanced traffic analysis which identifies and mitigates attacks without any false positives.

In practice, managing the network and sufficiently protecting the architecture can be two directly competing priorities. Due to the limited performance of existing legacy technologies, both in terms of DNS requests handling and security, architectures have become too complicated – the stacking of DNS servers, load balancers and multiple layers of firewalls make them complex to deploy, costly to maintain and worse, unsuitable to properly protect DNS servers.

Such complex architectures turn out to be ineffective against many attacks such as DDoS, Zero-Day vulnerabilities or data exfiltration, and require the centralization of the DNS services platform to mutualize costs while decreasing user experience quality with increased latency.

The limitations of most of the current DNS security models are related to their security systems not being embedded within the DNS server itself and relying on third party products. By contrast, integrating advanced security within the DNS server allows advanced attack detection capabilities and the ability to apply adapted countermeasures (for instance, making it easier to understand what types of attacks occur and what actions should be taken to mitigate them). A solid DNS security system coupled with high performing servers open up new possibilities for future IT architecture design.

Clearly, less complexity offers better security for telecommunication IT departments. But how do we get there? Here are the three actions telcos can take to meet the concurrent challenges of performance, security and costs:

Action 1 – Optimize the IT infrastructure with high performance DNS servers